Privacy Policy

Last updated: 20 April 2026

Who we are

GetSilk is operated by Joe Bendle, a sole trader based in London, United Kingdom.

Trading name: GetSilk
Website: getsilk.co.uk
Contact email: [email protected]
ICO registration: Pending (registration in progress with the Information Commissioner's Office)

GetSilk provides a guest feedback and review management service for hotels. We collect guest feedback via WhatsApp, use artificial intelligence to analyse sentiment and generate review drafts, and provide hotels with operational intelligence through a dashboard.

How this policy applies

This privacy policy explains how we handle personal data in two contexts:

Hotel customers — if you are a hotel using GetSilk, this policy covers how we handle your account information and business data.
Hotel guests — if you are a guest who has received a WhatsApp message from GetSilk after your hotel stay, this policy explains how your feedback and personal data is processed.

What data we collect

From hotel customers

When a hotel signs up to GetSilk, we collect:

Hotel name, address, and contact details
General manager or primary contact name and email address
Dashboard user email addresses
Google Business Profile and TripAdvisor URLs
Payment information (processed securely via Stripe — we do not store card details)
Service configuration preferences (themes, trigger timing, recovery window)

Lawful basis: Contract — this data is necessary to provide the service the hotel has subscribed to.

From hotel guests

When a hotel uses GetSilk, we process the following guest data on behalf of that hotel:

Guest name
Guest mobile phone number
Room number and checkout date
WhatsApp messages sent and received (including voice notes and text replies)
Voice note audio recordings
Transcriptions of voice notes
AI-generated sentiment scores and theme analysis
AI-generated review drafts
Whether the guest approved or edited their review

Lawful basis: Legitimate interest — the hotel has a legitimate interest in collecting guest feedback to improve its service and manage its online reputation. The guest's interests are protected by the limited data collected, short retention periods, the service recovery window (giving hotels time to resolve issues before reviews are published), and the guest's ability to approve, edit, or decline any review before publication.

How guest data flows through our system

When a guest checks out of a partner hotel, the following happens:

The hotel's property management system sends us the guest's name, phone number, room number, and checkout date.
We send the guest a WhatsApp message on behalf of the hotel, inviting them to share feedback about their stay.
If the guest replies (by voice note or text), their response is processed by our AI systems to generate a sentiment score, identify themes, and draft a review.
The guest receives the draft review and can approve it as-is, edit it, or simply not respond.
If approved, the guest receives a link to publish the review on Google or TripAdvisor. The guest must take active action to publish — we never publish reviews without explicit guest approval.
The hotel sees anonymised theme scores and sentiment data on their dashboard.

Guests are never obligated to respond. If a guest does not reply to the WhatsApp message, no further messages are sent and no data beyond their name and phone number is retained (subject to the retention periods below).

Sub-processors

We use the following third-party services to deliver GetSilk:

Provider	Purpose	Location	Data processed
360dialog GmbH	WhatsApp Business API	Germany (EU)	Guest phone numbers, message content
OpenAI Inc.	Voice note transcription	United States	Voice note audio files
Anthropic Inc.	Sentiment analysis, theme extraction, review generation	United States	Transcribed text, guest feedback
Cloudflare Inc.	Application hosting, database, CDN	Global (primary: EU/UK)	All application data
Stripe Inc.	Payment processing	United States	Hotel payment details (not guest data)
Resend Inc.	Transactional email delivery	United States	Hotel contact email addresses, alert content

All sub-processors with US operations process data under Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms compliant with UK GDPR.

International data transfers

Some of the data we process is transferred outside the United Kingdom:

Voice note transcription is processed by OpenAI in the United States.
Sentiment analysis and review generation is processed by Anthropic in the United States.
WhatsApp messaging is routed through 360dialog in Germany (covered by the UK-EU adequacy decision).

These transfers are protected by Standard Contractual Clauses incorporated into our agreements with each provider. Both OpenAI and Anthropic have confirmed that API data is not used to train their models.

How long we keep data

Data type	Retention period	Reason
Voice note audio files	7 days from receipt	Deleted once transcription is confirmed accurate. Minimises storage of raw audio.
Raw conversation data (transcripts, messages, guest phone numbers, guest names)	12 months from date of conversation	GDPR-defensible retention period. Hotels rarely need to revisit individual conversations beyond a year.
Derived and aggregated data (sentiment scores, theme breakdowns, response rates, published reviews)	Permanent (for life of account)	This is the long-term value layer — year-on-year comparisons, seasonal patterns, operational trends. Data at this level is anonymised or easily anonymisable.

When a hotel cancels their account

We offer a full data export before the account closes.
Within 30 days of cancellation, all identifiable data is permanently deleted — raw conversations, transcripts, guest phone numbers, guest names, voice notes, dashboard accounts, login credentials, and hotel configuration.
We retain anonymised aggregate statistics permanently (review counts, sentiment scores, response rates, theme distributions). These contain no hotel name, no guest data, and no personally identifiable information.

Your rights

If you are a hotel guest

Under UK GDPR, you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate data.
Erasure — request deletion of your personal data. If you ask us to delete your data, we will remove your name, phone number, transcripts, and any associated feedback within 30 days. Any review you have already published on Google or TripAdvisor is controlled by that platform and must be removed there directly.
Restriction — request that we limit how we process your data.
Objection — object to our processing of your data on legitimate interest grounds.
Portability — request your data in a portable format.

How to exercise your rights: Email [email protected] with your name and the hotel you stayed at. We will respond within 30 days.

If a guest did not respond to our WhatsApp message and wishes to ensure no data is held, they can contact us and we will confirm deletion.

If you are a hotel customer

You have the same rights as above. Additionally, you can request a full export of all data associated with your hotel account at any time by contacting us.

Data security

We take the following measures to protect personal data:

All data is encrypted in transit (TLS/HTTPS) and at rest.
Database access is restricted to authenticated and authorised users only.
Dashboard access uses magic-link authentication — no passwords are stored.
Voice note audio is automatically and permanently deleted after 7 days.
Sub-processor access is limited to the minimum data required for their function.
We regularly review access controls and security practices.

Cookies

The GetSilk dashboard uses essential functional cookies only:

Session cookie — keeps you logged in to the dashboard. Expires when you close your browser or after 7 days of inactivity.

We do not use tracking cookies, advertising cookies, or any third-party analytics on the dashboard. The getsilk.co.uk marketing website does not use cookies.

Children

GetSilk is a business-to-business service for hotels. We do not knowingly collect or process personal data from anyone under the age of 18. If a hotel guest is under 18 and has provided feedback, a parent or guardian may contact us to request deletion.

Changes to this policy

If we make material changes to this policy, we will notify hotel customers by email and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

How to contact us

For any privacy-related questions or requests:

Email: [email protected]

How to complain

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to resolve your concern directly before you contact the ICO. Please email us first and we will do our best to put things right.

Lawful basis summary

Processing activity	Lawful basis	GDPR Article
Providing the service to hotels	Contract	6(1)(b)
Processing guest feedback on behalf of hotels	Legitimate interest	6(1)(f)
Sending WhatsApp messages to guests	Legitimate interest	6(1)(f)
Retaining anonymised aggregate statistics	Legitimate interest	6(1)(f)
Sending service alerts to hotel staff	Contract	6(1)(b)
Processing payments via Stripe	Contract	6(1)(b)